TikiService is a new .NET Service Binary that allows you to run a TikiTorch payload via the Service Control Manager (à la PsExec). TikiTorch.cna has also been updated to create a new Cobalt Strike function: tikiexec, that automates its use. This blog post provides a brief overview and usage examples.

Service Binary

As with all TikiTorch projects, the bulk of the process hollowing code lives within the TikiLoader - so the service binary is relatively simple. In my previous post I explained my design decision for passing in user-specified arguments as parameters, so that we can compile a “generic” binary and have Aggressor provide shellcode on-the-fly.

Instead of trying to provide these on the command line, I opted to utilise the Configuration Manager. This is often seen in the Solution Explorer as App.config.

Within this file, you can add appSettings options that come in the form of a key with an associated value. Here we create “placeholders” for Binary and Shellcode.

Now in the binary, we can use the ConfigurationManager class to read these values in at runtime and just handle them as normal.

Aggressor

Before importing the CNA, you must provide paths to CsExec.exe (from my MiscTools repo), TikiService.exe and TikiService.exe.config.

The tikiexec command expects a listener and architecture, for which it will generate base64 encoded shellcode.

It will then read in the config and insert the Binary and Shellcode values. TikiService.exe and TikiService.exe.config are uploaded to C:\Windows\Temp on the target. CsExec is then executed via execute_assembly to create, start, stop and delete a new service.

The service name, description, binpath, etc. are passed in as args, so these can be changed in the CNA to suit your preference.

We attempt to link to the new beacon, and then the binary and config file are removed.
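From the blue-team side, the sequence above (a service installed with a binary under C:\Windows\Temp, started, stopped and deleted within seconds) leaves a recognisable trace in the Windows System log. The following is an added detection sketch, not part of TikiTorch or CsExec; it runs over constructed sample events in a simplified pipe-delimited form, and the suspicious-path list and 60-second lifetime threshold are assumed values you would tune for your environment.

```python
"""Added detection sketch (not TikiTorch code): flag PsExec-style service
abuse using two System-log signals - a service installed (Event ID 7045)
with its binary in a temp directory, and a service whose running->stopped
lifetime (Event ID 7036) is only a few seconds."""
from datetime import datetime
import re

# Constructed sample events in a simplified "timestamp|id|service|detail"
# form; they are not real log data.
SAMPLE_EVENTS = """\
2023-05-01T10:00:00|7045|Spooler|C:\\Windows\\System32\\spoolsv.exe
2023-05-01T10:05:12|7045|UpdateSvc|C:\\Windows\\Temp\\TikiService.exe
2023-05-01T10:05:13|7036|UpdateSvc|running
2023-05-01T10:05:20|7036|UpdateSvc|stopped
2023-05-01T11:00:00|7045|BackupSvc|C:\\Program Files\\Vendor\\backup.exe
2023-05-01T11:00:01|7036|BackupSvc|running
2023-05-01T12:30:00|7036|BackupSvc|stopped
"""

# Assumed list of directories where a service binary should not live;
# legitimate services normally sit under System32 or Program Files.
SUSPICIOUS_PATH = re.compile(
    r"\\(Windows\\Temp|Temp|Users\\[^\\]+\\AppData|ProgramData)\\", re.I)
MAX_LIFETIME_SECONDS = 60  # assumed threshold for a "short-lived" service


def parse_events(text):
    """Yield (timestamp, event_id, service, detail) tuples."""
    for line in text.strip().splitlines():
        ts, event_id, service, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), event_id, service, detail


def find_suspicious_services(text):
    """Return {service_name: [reasons]} for services matching either rule."""
    findings = {}
    started = {}
    for ts, event_id, service, detail in parse_events(text):
        if event_id == "7045" and SUSPICIOUS_PATH.search(detail):
            findings.setdefault(service, []).append(
                f"installed with binary in temp path: {detail}")
        elif event_id == "7036" and detail == "running":
            started[service] = ts
        elif event_id == "7036" and detail == "stopped" and service in started:
            lifetime = (ts - started.pop(service)).total_seconds()
            if lifetime <= MAX_LIFETIME_SECONDS:
                findings.setdefault(service, []).append(
                    f"ran for only {lifetime:.0f}s before stopping")
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

Either rule alone produces false positives (installers also drop short-lived services), so the combination is the stronger signal; the Security log's 4697 service-install event can substitute for 7045 where it is enabled.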

Demo